MicrosoftDocs
diff --git a/‎articles/api-management/credentials-configure-common-providers.md‎
Lines changed: 6 additions & 2 deletions b/‎articles/api-management/credentials-configure-common-providers.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎articles/api-management/credentials-how-to-azure-ad.md‎
Lines changed: 16 additions & 14 deletions b/‎articles/api-management/credentials-how-to-azure-ad.md‎
Lines changed: 16 additions & 14 deletions
diff --git a/‎articles/api-management/credentials-how-to-github.md‎
Lines changed: 14 additions & 13 deletions b/‎articles/api-management/credentials-how-to-github.md‎
Lines changed: 14 additions & 13 deletions
@@ -5,7 +5,7 @@ services: api-management
 author: dlepow
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/03/2025
+ms.date: 12/05/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
 # Customer intent: As an Azure service administrator, I want to learn how to configure common credential providers in the API Management credential manager.
@@ -80,7 +80,11 @@ API Management supports several providers for popular SaaS offerings, including
 
 Required settings for these providers differ, depending on the provider, but are similar to those for the [generic OAuth providers](#generic-oauth-providers). Consult the developer documentation for each provider.
 
+> [!NOTE]
+> Currently, the Salesforce provider doesn't include an expiry claim in its tokens. As a result, Credential Manager can't detect when these tokens expire and doesn't expose a mechanism to force refresh. With the Salesforce provider, you need custom refresh logic to manually reauthorize the connection to get a new token when the current token expires.
+
+
 ## Related content
 
 * Learn more about managing [connections](credentials-overview.md) in API Management.
-* Create a connection for [Microsoft Entra ID](credentials-how-to-azure-ad.md) or [GitHub](credentials-how-to-github.md).
+* Create a connection for [Microsoft Graph API](credentials-how-to-azure-ad.md) or [GitHub API](credentials-how-to-github.md).
@@ -5,7 +5,7 @@ services: api-management
 author: dlepow
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/01/2025
+ms.date: 12/08/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
 ---
@@ -14,7 +14,7 @@ ms.custom: sfi-image-nochange
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-This article guides you through the steps required to create a [managed connection](credentials-overview.md) to the Microsoft Graph API within Azure API Management. The authorization code grant type is used in this example.
+This article guides you through the steps required to create a [managed connection](credentials-overview.md) to the Microsoft Graph API within Azure API Management. Use the Microsoft Entra identity provider to call the Microsoft Graph API. This example uses the authorization code grant type.
 
 You learn how to:
 
@@ -45,28 +45,29 @@ Create a Microsoft Entra application for the API and give it the appropriate per
 
 1. Search for and select **Microsoft Entra ID**.
 
-1. Under **Manage** on the sidebar menu, select **App registrations**, and then select **+ New registration**.
+1. Under **Manage** on the sidebar menu, select **App registrations**, then select **+ New registration**.
 
-1. On the **Register an application** page, enter your application registration settings:
+1. On **Register an application**, enter your application registration settings:
     1. In **Name**, enter a meaningful name for the app, such as *MicrosoftGraphAuth*.
     1. In **Supported account types**, select an option that suits your scenario, for example, **Accounts in this organizational directory only (Single tenant)**.
     1. Set the **Redirect URI** to **Web**,  and enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`, substituting the name of the API Management service where you'll configure the credential provider.
     1. Select **Register**.
 
         :::image type="content" source="media/credentials-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating a Microsoft Entra app registration in the portal.":::
 
-1. On the sidebar menu, select **API permissions**, and then select **+ Add a permission**.
+1. On the sidebar menu, select **Manage** > **API permissions**.
+    Make sure the permission **User.Read** with the type *Delegated* is already added.
+
+1. Select **+ Add a permission**.
     :::image type="content" source="./media/credentials-how-to-azure-ad/add-permission.png" alt-text="Screenshot of adding an API permission in the portal.":::
 
-    1. Select **Microsoft Graph**, and then select **Delegated permissions**.
-        > [!NOTE]
-        > Make sure the permission **User.Read** with the type *Delegated* has already been added.
-    1. Type **Team**, expand the **Team** options, and then select **Team.ReadBasic.All**. Select **Add permissions**.
+    1. Select **Microsoft Graph**, then select **Delegated permissions**.
+    1. Type **Team**, expand the **Team** options, then select **Team.ReadBasic.All**. Select **Add permissions**.
     1. Next, select **Grant admin consent for Default Directory**. The status of the permissions changes to **Granted for Default Directory**.
 
-1. On the sidebar menu, select **Overview**. On the **Overview** page, find the **Application (client) ID** value and record it for use in Step 2.
+1. On the sidebar menu, select **Overview**. On **Overview**, find the **Application (client) ID** value and record it for use in Step 2.
 
-1. On the sidebar menu, select **Certificates & secrets**, and then select **+ New client secret**.
+1. On the sidebar menu, select **Manage** >**Certificates & secrets**, then select **+ New client secret**.
     :::image type="content" source="media/credentials-how-to-azure-ad/create-secret.png" alt-text="Screenshot of creating an app secret in the portal.":::
 
     1. Enter a **Description**.
@@ -78,10 +79,10 @@ Create a Microsoft Entra application for the API and give it the appropriate per
 
 1. Go to your API Management instance.
 
-1. Under **APIs** on the sidebar menu, select **Credential manager**, and then select **+ Create**.
+1. Under **APIs** on the sidebar menu, select **Credential manager**, then select **+ Create**.
     :::image type="content" source="media/credentials-how-to-azure-ad/create-credential.png" alt-text="Screenshot of creating an API credential in the portal.":::
 
-1. On the **Create credential provider** page, enter the following settings, and select **Create**:
+1. On **Create credential provider**, enter the following settings, and select **Create**:
 
     |Settings  |Value  |
     |---------|---------|
@@ -96,6 +97,7 @@ Create a Microsoft Entra application for the API and give it the appropriate per
     |**Scopes**     |    Optional for Microsoft Entra identity provider. Automatically configured from Microsoft Entra app's API permissions.      |
 
 1. Select **Create**.
+1. When prompted, review the OAuth redirect URL that's displayed, and select **Yes** to confirm that it matches the URL you entered in the app registration.
 
 ## Step 3: Configure a connection
 
@@ -167,7 +169,7 @@ On the **Connection** tab, complete the steps for your connection to the provide
 
 The preceding policy definition consists of two parts:
 
-* The [get-authorization-context](get-authorization-context-policy.md) policy fetches an authorization token by referencing the credential provider and connection that were created earlier. 
+* The [get-authorization-context](get-authorization-context-policy.md) policy fetches an authorization token by referencing the credential provider and connection that you created earlier. 
 * The [set-header](set-header-policy.md) policy creates an HTTP header with the fetched access token.
 
 ## Step 5: Test the API 
 
@@ -5,7 +5,7 @@ services: api-management
 author: dlepow
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/02/2025
+ms.date: 12/08/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
 ---
@@ -14,7 +14,7 @@ ms.custom: sfi-image-nochange
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-In this article, you learn how to create a managed [connection](credentials-overview.md) in API Management and call a GitHub API that requires an OAuth 2.0 token. The authorization code grant type is used in this example.
+In this article, you learn how to create a managed [connection](credentials-overview.md) in API Management and call a GitHub API that requires an OAuth 2.0 token. This example uses the authorization code grant type.
 
 You learn how to:
 
@@ -27,8 +27,8 @@ You learn how to:
 
 ## Prerequisites
 
-* A GitHub account is required.
-* A running API Management instance. If you need to, [create an Azure API Management instance](get-started-create-service-instance.md).
+* A GitHub account.
+* A running API Management instance. If you need one, [create an Azure API Management instance](get-started-create-service-instance.md).
 * Enable a [system-assigned managed identity](api-management-howto-use-managed-service-identity.md) for API Management in the API Management instance.
 
 ## Step 1: Register an application in GitHub
@@ -41,20 +41,21 @@ Create a GitHub OAuth app for the API and give it the appropriate permissions fo
     :::image type="content" source="media/credentials-how-to-github/register-application.png" alt-text="Screenshot of registering a new OAuth application in GitHub.":::
     1. Enter an **Application name** and **Homepage URL** for the application. For this example, you can supply a placeholder URL such as `http://localhost`.
     1. Optionally, add an **Application description**.
-    1. In **Authorization callback URL** (the redirect URL), enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`, substituting the name of the API Management instance where you will configure the credential provider.  
+    1. In **Authorization callback URL** (the redirect URL), enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`, substituting the name of the API Management instance where you configure the credential provider.  
+    1. Optionally select **Enable device flow** (not required for this example).
 1. Select **Register application**.
-1. On the **General** page, copy the **Client ID**, which you'll use in Step 2.
-1. Select **Generate a new client secret**. Copy the secret, which won't be displayed again, and which you'll use in Step 2. 
+1. On the **General** page, copy the **Client ID**, which you use in Step 2.
+1. Select **Generate a new client secret**. Copy the secret, which isn't displayed again. You configure the secret in Step 2. 
 
     :::image type="content" source="media/credentials-how-to-github/generate-secret.png" alt-text="Screenshot showing how to get client ID and client secret for the application in GitHub.":::
 
 ## Step 2: Configure a credential provider in API Management
 
-1. Sign into the [Azure portal](https://portal.azure.com) and go to your API Management instance.
+1. Sign in to the [Azure portal](https://portal.azure.com) and go to your API Management instance.
 1. On the left menu, select **APIs** > **Credential manager** > **+ Create**.
 
     :::image type="content" source="media/credentials-how-to-azure-ad/create-credential.png" alt-text="Screenshot of creating an API Management credential in the Azure portal.":::   
-1. On the **Create credential provider** page, enter the following settings:
+1. On **Create credential provider**, enter the following settings:
 
     |Settings  |Value  |
     |---------|---------|
@@ -66,7 +67,7 @@ Create a GitHub OAuth app for the API and give it the appropriate permissions fo
     |**Scope**     |    For this example, set the scope to *User*      |
 
 1. Select **Create**.
-1. When prompted, review the OAuth redirect URL that's displayed, and select **Yes** to confirm that it matches the URL you entered in the app registration.
+1. When prompted, review the OAuth redirect URL that's displayed, and select **Yes** to confirm that it matches the URL you entered in the GitHub app registration.
 
 ## Step 3: Configure a connection
 
@@ -82,7 +83,7 @@ On the **Connection** tab, complete the steps for your connection to the provide
 
 ## Step 4: Create an API in API Management and configure a policy
 
-1. Sign into the [Azure portal](https://portal.azure.com) and go to your API Management instance.
+1. Sign in to the [Azure portal](https://portal.azure.com) and go to your API Management instance.
 1. On the left menu, select **APIs** > **APIs** > **+ Add API**.
 1. Select **HTTP** and enter the following settings, then select **Create**.
 
@@ -92,7 +93,7 @@ On the **Connection** tab, complete the steps for your connection to the provide
     |**Web service URL**     |  `https://api.github.com`       |
     |**API URL suffix**     |  *githubuser*       |
 
-1. Navigate to the newly created API and select **Add Operation**. Enter the following settings and select **Save**.
+1. Go to the new API and select **Add Operation**. Enter the following settings and select **Save**.
 
     |Setting  |Value  |
     |---------|---------|
@@ -109,7 +110,7 @@ On the **Connection** tab, complete the steps for your connection to the provide
     |**URL** for GET     |  /user/followers |
 
 1. Select **All operations**. In the **Inbound processing** section, select the (**</>**) (code editor) icon.
-1. Copy and paste the following in the policy editor. Make sure the `provider-id` and `authorization-id` values in the `get-authorization-context` policy correspond to the names of the credential provider and connection, respectively, that you configured in the preceding steps. Select **Save**.
+1. Copy and paste the following code in the policy editor. Make sure the `provider-id` and `authorization-id` values in the `get-authorization-context` policy correspond to the names of the credential provider and connection, respectively, that you configured in the preceding steps. Select **Save**.
 
     ```xml
     <policies>